Security Basics mailing list archives

RE: Hacked (...still cleaning)


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Tue, 19 Apr 2005 16:16:31 -0400

This won't delete it, but it might stop it from running:

Right Click "My Computer" and click Properties or Start => Settings => Control Panel => System

Click the Advanced Tab => Environmental Variables

Under System Variables modify the path and remove C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32. Maybe remove C:\WIN..\SYSTEM as well.

If you remove the paths, the file should not be able to be run from a command line or from the START => Run menu, unless you manually specify the path in the command.

Just an idea :)


- JMB

-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org] 
Sent: Monday, April 18, 2005 4:34 PM
To: security-basics () securityfocus com
Subject: RE: Hacked (...still cleaning)


One thing I am trying to do is to hide the cmd.exe file to avoid the possibility of running some programs. I searched for the file on the whole system and deleted it from the \system32\ and \I386\ folders, and copied it into a folder not included on the system path with a different name. But if I invoke cmd.exe, it appears again in \system32\.

Does anyone know how to remove it?


Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia

